Topic-specific policies
ISO/IEC 27032


Search this site
 
ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27032:2023  — Cybersecurity — Guidelines for Internet security (second edition)

 

Abstract

“[ISO/IEC 27032] provides:
    • an explanation of the relationship between Internet security, web security, network security and cybersecurity;
    • an overview of Internet security;
    • identification of interested parties and a description of their roles in Internet security;
    • high-level guidance for addressing common Internet security issues.
       

    [The standard] is intended for organizations that use the Internet.”

[Source: ISO/IEC 27032:2023]
 

Introduction

ISO/IEC 27032 addresses Internet security i.e. “protecting Internet-related services and related ICT systems and networks as an extension of network security”.

 

Scope and purpose

The abstract above covers the scope and purpose.

The introduction notes that “[ISO/IEC 27032] does not specifically address controls that organizations can require for systems supporting critical infrastructure or national security. However, most of the controls mentioned in [ISO/IEC 27032] can be applied to such systems.” In other words it primarily concerns the ordinary everyday network security threats facing all Internet users, particularly businesses rather than the more extreme spooky threats of concern in the governmental and defence domain.

 

Structure and content

The five main sections are:

  1. Relationship between Internet security, web security, network security and cybersecurity.
  2. Overview of Internet security.
  3. Interested parties.
  4. Internet security risk assessment and treatment.
  5. Security guidelines for the Internet.

    6. Annex A. Cross-references between this standard and ISO/IEC 27002.

The annex cites a reasonable assortment of 50 controls from ISO/IEC 27002:2022

  • 25 Organizational controls;
  • 2 People controls;
  • 0 Physical controls; and
  • 23 Technological controls.
     

Status of the standard

The first edition was published in 2012.

The second, thoroughly revised edition was published in 2023.

 

Personal comments

See also ISO/IEC 27100.

Over the last decade or so, “cyber” as in “cybersecurity” has gradually become a buzzier buzzword and yet doubts and disagreements over what it actually means persists. SC 27 had the opportunity to clarify cyber-related terms when revising this standard but the second edition simply reproduces the definition of cybersecurity from ISO/IEC TS 27100:2020 vis “safeguarding of people, society, organizations and nations from cyber risks  Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.” ... but fails to define “cyber risk”, failing yet again to clarify what it is that we are supposedly being safeguarded against. Other cyber terms defined in the first edition have simply been dropped.

Meanwhile, the second edition remains myopically focused on deliberate attacks perpetrated via the Internet by hackers, malware, phishers and spammers.

I’ve taken the liberty of elaborating on the scope diagram from the standard, highlighting in yellow the coverage area and adding an outer circle for the field of information security as a whole:

 

27032 scope diagram extended by GH

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2025 IsecT Ltd. Contact us re Intellectual Property Rights